


BACKGROUND 

The present invention relates generally to hardware verification for electronic circuit designs. More particularly, the present invention relates to model checking and bounded model checking techniques for such verification.

Recent advances in the design of application specific integrated circuits (ASIC) and system-on-chip (SoC) circuits are producing circuit designs of rapidly increasing complexity. These designs are driving the search for techniques that are capable of verifying such complex designs.

Two commonly-used verification techniques are simulation and formal 
verification. Simulation involves driving test vectors into a behavioral representation 
of the design and monitoring the response. However, because the number of test 
vectors required for complete coverage rises exponentially with the number of input 
bits and state bits (flip-flops) in the design, simulation can explore only a very small 
portion of the possible traces of a design. For example, a design that has only 40 input 
bits and 40 state bits would require billions of years of simulation time for complete 
coverage. 

In contrast, model checking employs exhaustive mathematical techniques to prove whether a property holds true for a given design. A model checker uses a model of the design to consider all possible input combinations, and covers all possible reachable states to verify the property. This is possible due to efficient techniques such as Boolean satisfiability engines used in model checkers that allow analysis of sets of states simultaneously, and only consider the logic in the cone of influence of the property the tool is verifying. A bounded model checker, like any model checker, employs exhaustive mathematical techniques to prove whether a property holds true, but only until some certain cycle k.
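The SAT-based bounded model checking described above, as an added example that is not code from this application or from any model checker product: a two-bit FIFO occupancy counter, assumed here, is unrolled t cycles into a CNF formula (the verification model), the transition relation is encoded by forbidding every row of its truth table that the RTL does not produce, and a small DPLL solver plays the role of the satisfiability engine. The negated property "no buffer overflow" is conjoined at cycle t for t = 0..k; the first satisfying assignment is decoded into the counterexample waveform, and an unsatisfiable formula for every t up to k is the bounded proof. The counter, its capacity of 2, and its `push`/`pop` interface are assumptions of the example; a real engine would use a production SAT solver and a Tseitin encoding of the RTL rather than an enumerated truth table.

```python
"""SAT-based bounded model checking of a small FIFO occupancy counter (example).
The transition relation is unrolled into CNF, a small DPLL solver is the SAT
engine, and a satisfying assignment is decoded into the counterexample waveform."""
from itertools import product

WIDTH = 2                # assumed: occupancy count register is 2 bits, values 0..3
CAPACITY = 2             # assumed depth; a count above CAPACITY is an overflow
SIGNALS = [f"c{i}" for i in range(WIDTH)] + ["push", "pop"]   # per-cycle signals

def next_count(count, push, pop):
    """RTL of the counter. The push path is not guarded by 'full', so the design can overflow."""
    if push and not pop:
        return (count + 1) % (1 << WIDTH)
    if pop and not push and count > 0:
        return count - 1
    return count

def var(t, name):
    """DIMACS-style variable number of signal `name` in cycle t (fresh copy per cycle)."""
    return t * len(SIGNALS) + SIGNALS.index(name) + 1

def lit(v, value):
    """Literal asserting that variable v equals the boolean `value`."""
    return v if value else -v

def bit(value, i):
    return (value >> i) & 1

def transition(t):
    """CNF of count(t+1) == next_count(count(t), push(t), pop(t)):
    every truth-table row the RTL does not produce becomes one forbidding clause."""
    clauses = []
    for count, push, pop in product(range(1 << WIDTH), (0, 1), (0, 1)):
        good = next_count(count, push, pop)
        row = [-lit(var(t, f"c{i}"), bit(count, i)) for i in range(WIDTH)]
        row += [-lit(var(t, "push"), push), -lit(var(t, "pop"), pop)]
        for wrong in range(1 << WIDTH):
            if wrong != good:
                clauses.append(row + [-lit(var(t + 1, f"c{i}"), bit(wrong, i))
                                      for i in range(WIDTH)])
    return clauses

def overflow_at(t):
    """Negated property at cycle t: count(t) is none of the legal values 0..CAPACITY."""
    return [[-lit(var(t, f"c{i}"), bit(v, i)) for i in range(WIDTH)]
            for v in range(CAPACITY + 1)]

def simplify(clauses, l):
    """Make literal l true: drop satisfied clauses, shorten the rest; None on conflict."""
    out = []
    for c in clauses:
        if l in c:
            continue
        if -l in c:
            c = [x for x in c if x != -l]
            if not c:
                return None
        out.append(c)
    return out

def dpll(clauses, model):
    """Plain DPLL: unit propagation, then branch on the first free literal.
    Returns a satisfying assignment {var: bool} or None if unsatisfiable."""
    model = dict(model)
    while True:
        unit = next((c[0] for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        model[abs(unit)] = unit > 0
        clauses = simplify(clauses, unit)
        if clauses is None:
            return None
    if not clauses:
        return model
    branch = clauses[0][0]
    for choice in (branch, -branch):
        reduced = simplify(clauses, choice)
        if reduced is not None:
            found = dpll(reduced, {**model, abs(choice): choice > 0})
            if found is not None:
                return found
    return None

def waveform(model, t):
    """Decode a satisfying assignment into the per-cycle counterexample trace."""
    rows = []
    for s in range(t + 1):
        count = sum(model.get(var(s, f"c{i}"), False) << i for i in range(WIDTH))
        rows.append({"cycle": s, "count": count,
                     "push": model.get(var(s, "push"), False),
                     "pop": model.get(var(s, "pop"), False)})
    return rows

def bmc(init_count, k):
    """Is an overflow reachable within k cycles of init_count?  Returns (Ka, waveform)
    for the earliest violating cycle, or None when every unrolling up to k is UNSAT."""
    for t in range(k + 1):
        clauses = [[lit(var(0, f"c{i}"), bit(init_count, i))] for i in range(WIDTH)]
        for s in range(t):
            clauses += transition(s)
        clauses += overflow_at(t)
        model = dpll(clauses, {})
        if model is not None:
            return t, waveform(model, t)
    return None

if __name__ == "__main__":
    print("k=2 from reset:", bmc(0, 2))   # None: two cycles cannot fill and overflow
    print("k=3 from reset:", bmc(0, 3))   # Ka=3: three pushes and no pops
```

Each cycle gets its own copy of the four signal variables, so the formula for bound t has 4t + 2 variables and 48t + 3 clauses; this is the per-cycle growth the text refers to, and the cone-of-influence reduction a real tool applies would drop signals that the property cannot observe.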



SUMMARY 



In general, in one aspect, the invention features a method and computer program for verifying a design of a circuit. It comprises providing a model of the design; providing a first property for the design, wherein the first property describes a first behavior; checking the model using the first property and an environment of the design starting at a reset state until an example of the first behavior occurs; providing a second property for the design, wherein the second property describes a second behavior; and checking the model using the second property and an environment of the design starting at a state when the example of the first behavior occurs.

Particular implementations can include one or more of the following features. Providing the first property comprises providing a statement in a specification language stating that the first behavior does not occur. The environment of the design comprises one or more environment variables, wherein checking the model using the first property comprises determining a set of values for the environment variables of the Boolean expression that causes the model of the design to show an example of the first behavior. Implementations comprise providing a state of the model of the design when the example of the first behavior occurs. Implementations comprise providing the environment of the design at the reset state. Implementations comprise providing the environment of the design at a state when the example of the first behavior occurs. The model of the design comprises one or more model variables and the environment of the design comprises one or more environment variables, and providing the environment of the design at the state when the example of the first behavior occurs comprises at least one of: describing the state when the example of the first behavior occurs; and providing the values of the environment variables and the model variables in each clock cycle preceding the example when the first behavior occurs.

The details of one or more implementations are set forth in the accompanying drawings and the description below. Other features will be apparent from the description and drawings, and from the claims.

DESCRIPTION OF DRAWINGS

FIGS. 1A, 1B, and 1C show functional block diagrams of a model checker according to a preferred embodiment of the present invention.

FIG. 2 shows a process that is performed by the model checker of FIGS. 1A, 1B, and 1C according to a preferred embodiment of the present invention.

The leading digit(s) of each reference numeral used in this specification indicates the number of the drawing in which the reference numeral first appears.



DETAILED DESCRIPTION

Formal verification is a name for a variety of methods for proving the correctness of electronic circuit designs. Given a formal description of a design, and a formal specification of its desired behavior, formal verification methods can be used to mathematically prove that the design complies with its specification. For example, formal verification can be used to prove that a cache control unit complies with specified cache coherency rules.

One family of formal verification tools is referred to as model checkers. A model checker is a software program that checks whether a model of the design satisfies a logical specification of the design. A model checker output is generally "pass" or "fail," stating whether the design satisfies the specification (pass) or not (fail). When a model checker output is "fail," it produces a "counterexample," which is a waveform that describes a fail. If no fails exist, the tool provides a "proof" that the design complies with its specification. A bounded model checker is a software program that checks whether a model of the design satisfies a logical specification of the design until some certain cycle k. When a bounded model checker output is "fail," it too produces a "counterexample," a waveform that describes the fail.

However, conventional model checkers are limited by the size of design that they can explore in a reasonable amount of time and using reasonable memory. Bounded model checkers are limited by the number of cycles of a design that can be checked in a reasonable amount of time. With each cycle the logic cone checked grows, and the computer time required by the model checker grows exponentially, reaching days and weeks after only a few tens of cycles. Further, conventional use of model checkers always begins model checking with the reset state of the design. Therefore many states of the design cannot be reached with conventional model checkers.

According to embodiments of the present invention, a model checker is used to begin model checking with states other than the reset state of the design. Embodiments of the present invention also use model checkers to locate examples of interesting behavior of the design, which can then be used as starting points for model checking.

FIGS. 1A, 1B, and 1C show functional block diagrams of a model checker 100 according to a preferred embodiment of the present invention. Model checker 100 can be obtained as commercially-available software. Model checker 100 receives a model 102 of the design, an environment 104 for the design, which can be provided separately or as part of model 102, and a property 106.

Design model 102 is a description of the design, and is preferably provided as a register-transfer-level (RTL) specification, although other descriptions can be used. Environment 104 describes the environment in which the design is intended to perform, including for example predetermined signals such as reset signals, clock signals, and the like. Preferably the environment is described in a description language that allows choices of the environment next state, such as the Environment Description Language (EDL), although other descriptions can be used.

Property 106 is a description of one or more intended behaviors of the design. For example, a property 106 can specify that a buffer overflow can never occur. Properties 106 are conventionally derived from the design specification. Property 106 is preferably provided in a language such as Property Specification Language (PSL), Sugar, or the like.

Model checker 100 generates a verification model representation 108 based on model 102, environment 104, and property 106.

Model checker 100 comprises an engine 110 that verifies verification model representation 108. Preferably, in the case of bounded model checking, verification model representation 108 is a Boolean formula in conjunctive normal form (CNF) and engine 110 is a Boolean satisfiability (SAT) engine, although other engines can be used.

FIG. 2 shows a process 200 that is performed by model checker 100 of FIGS. 1A, 1B, and 1C according to a preferred embodiment of the present invention.

Customer No. 23624    21. MAR. 2004 8:57    MARVELL LTD    Attorney Docket No. MP0404.I

In particular, process 200 uses model checker 100 first to locate a predetermined behavior (referred to herein as the "event-oriented model check"), and then to check the model 102 beginning with the occurrence of that predetermined behavior (referred to herein as the "property-oriented model check"). For example, where the predetermined behavior is "buffer full," process 200 first uses model checker 100 to find an example of "buffer full," and then uses model checker 100 a second time to begin model checking with that occurrence of "buffer full" to see what happens next.

This process is referred to herein as "extended model checking," as model checker 100 is used to check beyond its conventional limit. When model checker 100 is a bounded model checker, the term "extended" represents checking beyond the cycle limit. For example, if the cycle limit for a bounded model checker is 30 cycles, and no example of "buffer full" occurs until cycle 30, a conventional use of a bounded model checker would be unable to check the design for what happens after "buffer full." But by extending model checking to begin with "buffer full," embodiments of the present invention can see what behavior occurs after "buffer full". This can happen since typically, for an event-oriented property such as "buffer never fills," a model checker will be able to find results beyond the 30 cycle limit that applies to the spec-oriented property.

Referring again to FIG. 2, process 200 provides a model 102 of the design, an environment 104A of the design starting at the reset state, and a property 106A for the design that describes the predetermined behavior (step 202). For example, property 106A describes "buffer not full." Typically property 106A can be checked for a larger k, meaning the predetermined behavior is searched for during more cycles. This is true since typically property 106A involves less logic than a spec-oriented property.

Model checker 100 generates a verification model representation 108A based on model 102, environment 104A, and property 106A (step 204).

Engine 110 checks model 102 using verification model representation 108A until an example of the predetermined behavior occurs or until it is determined that no such example exists. Other possible outcomes are that "non-reasonable" time has passed and the model checker has not reached a resolution, or that the check failed due to memory limits (step 206). If the model checker run stops normally and no counterexample is found, verification model representation 108A is declared passed. In the case of a SAT engine it is declared unsatisfiable, meaning that the design complies with the behavior described by the property 106A from which verification model representation 108A was derived. For the present example, this means that the buffer never fills. For a bounded model checker, this means the buffer never fills until some predetermined cycle. It could also be that the model checker run does not stop in a reasonable time or fails due to a memory limit. In such a case it is unknown whether the buffer fills or not. However, for our purpose this is the same as if the buffer never fills until cycle k, since we do not have a counterexample.

Any counterexample found at step 206 represents an example of the occurrence of a behavior other than the behavior described by property 106A. If no counterexample is found at step 206, no example of the predetermined behavior was found (step 208).

Property 106A can be redefined (step 210). For example, redefined property 106A can describe "buffer is never full minus one". Then steps 202, 204, and 206 are repeated. If a counterexample is now found (step 208), new steps can be applied searching for original property 106A, this time starting from the state of model 102 for the example of the predetermined behavior; for the present example, searching for "buffer full" starting from "buffer full minus one."

But if at step 206 a counterexample is found (step 208), meaning an example of the predetermined behavior was found, process 200 captures the state of model 102 for the example of the predetermined behavior, and checks model 102 again, this time starting from the state of model 102 for the example of the predetermined behavior, and using a property that describes a desired behavior of the design, such as properties derived from the specification for the design. The ability to capture the state of model 102 is provided by conventional model checkers. Let Ka represent the cycle in which the counterexample occurs. In the present example, Ka is the cycle in which the buffer fills.

Referring to FIG. 1B, process 200 provides an environment 104B of the design starting at the state of model 102 for the example of the predetermined behavior and a property 106B for the design that describes one or more intended behaviors of the design (step 212). For example, property 106B can be derived from the design specification. Property 106B is preferably provided in a language such as Property Specification Language (PSL), Sugar, or the like.

In some embodiments process 200 provides environment 104B by providing the values of the environment variables in verification model representation 108A for each of the first Ka cycles of the event-oriented model check. In other embodiments process 200 provides environment 104B by providing the values of the model and environment state variables in verification model representation 108A for the specific cycle of the event-oriented model check at which the example of the predetermined behavior occurred (i.e., Ka). The capacity to provide the values of the environment variables and the state of model 102 is provided as a function of conventional model checkers.
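Process 200 from step 202 through step 216, as an added example that is not part of this application or of any model checker product: a FIFO occupancy counter, assumed here with a depth of 4, is first searched from reset for an example of "buffer full" (property 106A, "buffer not full"), the counterexample's state and its input trace are captured (the two forms of environment 104B described above, which the example checks against each other by replay), and the spec property "buffer overflow can never occur" (property 106B) is then checked starting from that state. Explicit-state bounded search over all input combinations stands in for the SAT engine; the design, its constants and the deliberately unguarded variant `next_state_buggy` are assumptions of the example. It also shows the point the text makes about the cycle limit: checked from reset with a limit of 3 cycles the overflow is never seen, while the extended check finds it one cycle after the buffer fills.

```python
"""Extended model checking (process 200) on a small FIFO occupancy counter (example).
Phase 1, the event-oriented check, searches from reset for "buffer full".
Phase 2, the property-oriented check, restarts from the captured state and
checks "buffer overflow can never occur".  Explicit-state bounded search over
every input combination stands in for the SAT engine."""
from collections import namedtuple
from itertools import product

CAPACITY = 4            # assumed buffer depth; "full" means count == CAPACITY
RESET_STATE = 0         # occupancy count at reset
INPUTS = list(product((0, 1), repeat=2))   # every (push, pop) combination

def next_state_correct(count, push, pop):
    """RTL of the counter: a push into a full buffer is stalled, so no overflow."""
    if push and not pop and count < CAPACITY:
        return count + 1
    if pop and not push and count > 0:
        return count - 1
    return count

def next_state_buggy(count, push, pop):
    """Same counter with the full check forgotten: a push when full overflows."""
    if push and not pop:
        return count + 1
    if pop and not push and count > 0:
        return count - 1
    return count

Result = namedtuple("Result", "status cycle state trace")

def bounded_check(step, start_state, prop, k):
    """Check prop on every trace of at most k cycles from start_state.
    "pass" means no violation exists within k cycles; "fail" carries the
    violating cycle, the state and the input trace, i.e. the counterexample
    waveform.  Equal states at the same depth are explored once."""
    frontier = [(start_state, ())]
    for cycle in range(k + 1):
        successors, seen = [], set()
        for state, trace in frontier:
            if not prop(state):
                return Result("fail", cycle, state, trace)
            for inputs in INPUTS:
                nxt = step(state, *inputs)
                if nxt not in seen:
                    seen.add(nxt)
                    successors.append((nxt, trace + (inputs,)))
        frontier = successors
    return Result("pass", k, None, None)

def replay(step, start_state, trace):
    """Environment 104B, second form: re-drive the recorded input values from
    reset to reconstruct the state at cycle Ka."""
    state = start_state
    for push, pop in trace:
        state = step(state, push, pop)
    return state

def check_from_reset(step, k):
    """Conventional use: property 106B checked from reset with cycle limit k."""
    return bounded_check(step, RESET_STATE, lambda c: c <= CAPACITY, k).status

def extended_check(step, k_event, k_prop):
    """Steps 202 to 216: event-oriented check, capture, property-oriented check."""
    not_full = lambda count: count < CAPACITY        # property 106A
    no_overflow = lambda count: count <= CAPACITY    # property 106B
    event = bounded_check(step, RESET_STATE, not_full, k_event)   # steps 202-206
    if event.status == "pass":                                     # step 208
        return {"event": "no example of buffer full within %d cycles" % k_event}
    # Step 212: the counterexample yields both forms of environment 104B, the
    # captured state and the input values of the first Ka cycles; they agree.
    assert replay(step, RESET_STATE, event.trace) == event.state
    prop = bounded_check(step, event.state, no_overflow, k_prop)   # steps 214-216
    return {"Ka": event.cycle, "full_state": event.state, "property": prop.status,
            "fail_cycle": None if prop.status == "pass" else event.cycle + prop.cycle}

if __name__ == "__main__":
    print("from reset, limit 3:", check_from_reset(next_state_buggy, 3))
    print("extended, buggy  :", extended_check(next_state_buggy, 8, 3))
    print("extended, correct:", extended_check(next_state_correct, 8, 3))
```

Run as a script it prints the three results; `extended_check` reports Ka, the cycle at which the buffer filled, and the overflow cycle counted from reset, which together are the waveform a practitioner would hand back to the designer. Step 210 of the process (redefining property 106A to "buffer full minus one" and searching again) corresponds to calling `bounded_check` with `lambda c: c < CAPACITY - 1` and then using the returned state as the new start.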



Model checker 100 generates a verification model representation 108B based on model 102, environment 104B, and property 106B (step 214). Engine 110 checks model 102 using verification model representation 108B (step 216). In this way the behavior of model 102 in the cycles following the example of the predetermined behavior can be formally verified. When model checker 100 is a bounded model checker, this means reaching cycles that could not be reached if property 106B were checked without steps 202, 204, and 206. If no further model checking is desired (step 218), then process 200 is done (step 222).

If desired, further property-oriented model checks can be performed based on the property-oriented model check of step 214, for example, to explore further beyond the cycle limit of model checker 100. Referring to FIG. 1C, process 200 provides an environment 104C of the design at the state of model 102 for a selected cycle of the property-oriented model check of step 214 and property 106B for the design that describes one or more intended behaviors of the design (step 220). Of course, a property other than property 106B could be used. Model checker 100 generates a verification model representation 108C based on model 102, environment 104C, and property 106C (step 214). Engine 110 checks model 102 using verification model representation 108C (step 216). This process can be repeated as many times as desired.

Apparatus of the invention can be implemented in a computer program product tangibly embodied in a machine-readable storage device for execution by a programmable processor; and method steps of the invention can be performed by a programmable processor executing a program of instructions to perform functions of the invention by operating on input data and generating output. The invention can be implemented advantageously in one or more computer programs that are executable on a programmable system including at least one programmable processor coupled to receive data and instructions from, and to transmit data and instructions to, a data storage system, at least one input device, and at least one output device. Each computer program can be implemented in a high-level procedural or object-oriented programming language, or in assembly or machine language if desired; and in any case, the language can be a compiled or interpreted language. Suitable processors include, by way of example, both general and special purpose microprocessors. Generally, a processor will receive instructions and data from a read-only memory and/or a random access memory. Generally, a computer will include one or more mass storage devices for storing data files; such devices include magnetic disks, such as internal hard disks and removable disks; magneto-optical disks; and optical disks. Storage devices suitable for tangibly embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, such as EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM disks.

A number of implementations of the invention have been described. 
Nevertheless, it will be understood that various modifications may be made without 
departing from the spirit and scope of the invention. Accordingly, other 
implementations are within the scope of the following claims. 